What is the threat?
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have discovered a new malware variant called HOPLIGHT. The malware has been attributed to HIDDEN COBRA, the name used for activity from the North Korean government. The malware targets US companies and government agencies.
Why is this noteworthy?
In an advisory this week, US-CERT released multiple Indicators of Compromise associated with HOPLIGHT, including IP addresses, file hashes and URLs. HOPLIGHT is a powerful backdoor trojan: it collects information about an infected device, sends that data to a remote server, and can also receive commands from a command and control server.
What is the exposure or risk?
This phishing campaign seems to be a consumer fraud attack for Netflix accounts, rather than targeted attacks for corporate credentials or business data. Once the attacker has the login credentials, they can assess the user. If the user is an executive, they can get access to more than just a Netflix account. Access to a mobile phone account can be used to launch business email compromises, fraudulent wire transfers, or even ransomware.
What can you do?
SKOUT recommends the following:
- Enable endpoint protection to block suspicious inbound files and communication.
- Keep systems up to date.
- Have complex passwords on important accounts.
- Block all IP addresses and hashes considered to be an indicator of compromise associated with HOPLIGHT. The link to the US-CERT advisory is in the references.
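The last recommendation is easier to act on with a small matcher that takes the published indicator list and checks it against file hashes and proxy or firewall logs. The script below is an added example, not SKOUT's or US-CERT's tooling; every indicator, hash and log line in it is a constructed placeholder (the real values come from the US-CERT advisory), and the `<type>:<value>` list format is an assumption.

```python
import hashlib
import re
from pathlib import Path

# Constructed placeholder indicators (not real HOPLIGHT IoCs); substitute the
# list from the US-CERT advisory. Assumed format: <type>:<value>, one per line.
IOC_TEXT = """\
sha256:0000000000000000000000000000000000000000000000000000000000000000
ip:203.0.113.10
url:http://c2.example.invalid/beacon
"""

LOG_LINES = [  # constructed proxy/firewall log lines
    "2019-04-12T10:01:00Z ALLOW 10.0.0.5 -> 203.0.113.10:443",
    "2019-04-12T10:01:05Z GET http://c2.example.invalid/beacon 200",
    "2019-04-12T10:02:00Z ALLOW 10.0.0.5 -> 198.51.100.7:80",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")

def parse_iocs(text):
    """Split an indicator list into sets keyed by type; skips blank and # lines."""
    iocs = {"sha256": set(), "ip": set(), "url": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        if kind in iocs and value:
            iocs[kind].add(value.lower())
    return iocs

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def hash_hits(files, iocs):
    """files: mapping label -> bytes. Returns labels whose SHA-256 is an indicator."""
    return [name for name, data in files.items() if sha256_hex(data) in iocs["sha256"]]

def read_dir(directory):
    """Load regular files under directory into memory for hash_hits (small trees only)."""
    return {str(p): p.read_bytes() for p in Path(directory).rglob("*") if p.is_file()}

def scan_log(lines, iocs):
    """Return (line_no, indicator) pairs where a log line touches a known IP or URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits += [(n, ip) for ip in IP_RE.findall(line) if ip in iocs["ip"]]
        hits += [(n, u) for u in URL_RE.findall(line) if u.lower().rstrip("/") in iocs["url"]]
    return hits
```

Feed `scan_log` your real egress logs and `hash_hits(read_dir(path), iocs)` a quarantine or download directory; a hit on the C2 address or URL is the stronger signal, since the hashes only catch samples that have not been repacked.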
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Secure Intelligence Center.